revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-20 20:40:56 +01:00
Code Issues Releases Wiki Activity

Detect developer error when constructing forms with absolute URIs

Browse source 
Summary: Ref T1921. Ref T4339. If you `phabricator_form()` with an absolute URI, we silently drop the CSRF tokens. This can be confusing if you meant to specify `"/some/path"` but ended up specifying `"http://this.install.com/some/path"`. In all current cases that I can think of / am aware of, this indicates an error in the code. Make it more obvious what's happening and how to fix it. The error only fires in developer mode.

Test Plan: Hit this case, also rendered normal forms.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4339, T1921

Differential Revision: https://secure.phabricator.com/D8044
This commit is contained in:
epriestley 2014-01-23 14:03:28 -08:00
parent 69ddb0ced6
commit a2515921b6
1 changed files with 41 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
src/infrastructure/javelin/markup.php
View file

@ -38,8 +38,32 @@ function javelin_tag(
function phabricator_form(PhabricatorUser $user, $attributes, $content) { function phabricator_form(PhabricatorUser $user, $attributes, $content) {
$body = array(); $body = array();
if (strcasecmp(idx($attributes, 'method'), 'POST') == 0 && $http_method = idx($attributes, 'method');
!preg_match('#^(https?:|//)#', idx($attributes, 'action'))) { $is_post = (strcasecmp($http_method, 'POST') === 0);
$http_action = idx($attributes, 'action');
$is_absolute_uri = preg_match('#^(https?:|//)#', $http_action);
if ($is_post) {
if ($is_absolute_uri) {
$is_dev = PhabricatorEnv::getEnvConfig('phabricator.developer-mode');
if ($is_dev) {
$form_domain = id(new PhutilURI($http_action))
->getDomain();
$host_domain = id(new PhutilURI(PhabricatorEnv::getURI('/')))
->getDomain();
if (strtolower($form_domain) == strtolower($host_domain)) {
throw new Exception(
pht(
"You are building a <form /> that submits to Phabricator, but ".
"has an absolute URI in its 'action' attribute ('%s'). To avoid ".
"leaking CSRF tokens, Phabricator does not add CSRF information ".
"to forms with absolute URIs. Instead, use a relative URI.",
$http_action));
}
}
} else {
$body[] = phutil_tag( $body[] = phutil_tag(
'input', 'input',
array( array(
@ -56,6 +80,7 @@ function phabricator_form(PhabricatorUser $user, $attributes, $content) {
'value' => true, 'value' => true,
)); ));
} }
}
if (is_array($content)) { if (is_array($content)) {
$body = array_merge($body, $content); $body = array_merge($body, $content);